Question

We have a new 2010 environment. We ran through it quickly on our install, with the likely intention of having to do it again anyway. To keep things simple, we only have two service accounts. The farm admin is the same user for all services. We also let the wizard create all of our services.

Yeah, I've read all the posts about needing 9 accounts per environment (wow), and about not letting the wizard create services, web apps and pools automatically. I've heard this can hurt us if one account is compromised, and that it can lead to accidents. But I also think having to manage and carry all those accounts introduces some security risk too. Also, I understand all those accounts can complicate PowerShell and maintenance. I also understand that wizard-created services and databases will take weird names and not go on separate web app pools. So what?

The environment is up and all services are up with the same farm admin user. We have one other AD user for safe reading of SharePoint content.

Two questions:

  1. How bad is our configuration like this and where is this going to bite us?

  2. If we want to fix this, can it be done without a complete reinstall? Has anybody undone the wizard and split out AD accounts after the fact? How bad is it to do this?



Solution

In my experience it is easier to rebuild the farm than to try to fix/troubleshoot/validate the environment.

The wizard was created for testing/demo purposes and is not meant for production deployments.

OTHER TIPS

I do not agree with the rebuild path: you need to learn how to maintain a SharePoint environment, and now is a good time for that. What if you need to reconfigure it because of disaster recovery, and data loss is not an option?

Actually, it is not that difficult to change the service accounts, but first let me explain why you definitely SHOULD follow Microsoft's recommendations:

  1. Managed Accounts - you can't use their features currently, because not all SharePoint services are aware of the Managed Account automatic password change. If you enable automatic password change, some services will stop working.

  2. Any person logged in to the server with local admin rights can VERY EASILY get the application pool password. If that's the same user as the SQL Server admin, or worse, a domain admin, your security is lost and probably your sensitive data/environment too. Check it for yourself:

    • Log in to your SharePoint server
    • Run Cmd.exe as administrator (the "Run as administrator" option)
    • Run the command %systemroot%\system32\inetsrv\APPCMD list apppool "your_app_pool_name" /text:*
    • Check the [processModel] section in the output

If you are convinced to change accounts:

  1. Create the required accounts in Active Directory (as in the Microsoft article you have already seen)
  2. Add these accounts to the Managed Accounts section in Central Administration
  3. Go to Security - Configure Service Accounts in Central Administration
  4. Change the service accounts and application pool accounts to those created in step 1.

That's all - you don't have to reconfigure the entire farm, and if you need to change accounts again in the future, you'll already have learned how.
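The two procedures in the answer above (the appcmd check showing why one shared account is a problem, and steps 1-4 for splitting the accounts out) as one PowerShell script. This is an added example, not code from the original answer or from Microsoft. It assumes an elevated SharePoint 2010 Management Shell on a farm server, a placeholder farm account DOMAIN\spfarm and placeholder new accounts DOMAIN\svc-spservices and DOMAIN\svc-spcontent that already exist in AD; the object-model members used on the web application pool (ManagedAccount, Update(), Deploy()) are my reading of the SharePoint 2010 SPApplicationPool type, so check them against your build before running this on production.

```powershell
# Added example, not part of the original answers. Placeholders: DOMAIN\spfarm (the one
# account the wizard used everywhere), DOMAIN\svc-spservices, DOMAIN\svc-spcontent.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# ---- Part 1: the exposure ----
# appcmd hands the stored app pool credentials, decrypted, to any local administrator.
# Parses "appcmd list apppool /text:*" and returns one object per pool.
function Get-AppPoolIdentities {
    $appcmd  = Join-Path $env:systemroot 'system32\inetsrv\appcmd.exe'
    $result  = @()
    $current = $null
    foreach ($line in (& $appcmd list apppool /text:*)) {
        if ($line -match '^\s*APPPOOL\.NAME:"(.+)"') {
            $current = New-Object PSObject -Property @{ Pool = $matches[1]; UserName = ''; Password = '' }
            $result += $current
        }
        elseif ($current -and $line -match '^\s*userName:"(.*)"') { $current.UserName = $matches[1] }
        elseif ($current -and $line -match '^\s*password:"(.*)"') { $current.Password = $matches[1] }
    }
    return $result
}

# Show which pools share an identity, but mask the secret instead of echoing it to the console.
Write-Host "Application pool identities before the change:"
Get-AppPoolIdentities | ForEach-Object {
    $masked = if ($_.Password) { '********' } else { '(none)' }
    "{0,-40} {1,-30} {2}" -f $_.Pool, $_.UserName, $masked
}

# ---- Part 2: split the farm account out (steps 1-4 of the answer) ----
# Step 2: register the AD accounts as Managed Accounts (prompts for each password).
function Register-SPManagedAccountIfMissing {
    param([string]$UserName)
    $existing = Get-SPManagedAccount | Where-Object { $_.UserName -eq $UserName }
    if ($existing) { return $existing }
    New-SPManagedAccount -Credential (Get-Credential $UserName)
}

$farmAccount   = 'DOMAIN\spfarm'
$svcAppAccount = Register-SPManagedAccountIfMissing 'DOMAIN\svc-spservices'
$webAppAccount = Register-SPManagedAccountIfMissing 'DOMAIN\svc-spcontent'

# Steps 3-4 for service application pools
# (what Central Administration > Security > Configure Service Accounts does).
Get-SPServiceApplicationPool |
    Where-Object { $_.ProcessAccountName -eq $farmAccount } |
    ForEach-Object {
        Write-Host "Service application pool '$($_.Name)': $farmAccount -> $($svcAppAccount.UserName)"
        Set-SPServiceApplicationPool -Identity $_ -Account $svcAppAccount
    }

# Steps 3-4 for content web application pools. Get-SPWebApplication omits Central
# Administration unless -IncludeCentralAdministration is given, so the CA pool stays on
# the farm account. Deploy() pushes the new identity to IIS on every server in the farm,
# which recycles the pool: do this in a maintenance window.
Get-SPWebApplication |
    Where-Object { $_.ApplicationPool.ManagedAccount.UserName -eq $farmAccount } |
    ForEach-Object {
        $pool = $_.ApplicationPool
        Write-Host "Web application pool '$($pool.Name)': $farmAccount -> $($webAppAccount.UserName)"
        $pool.ManagedAccount = $webAppAccount   # assumption: SPApplicationPool exposes ManagedAccount
        $pool.Update()
        $pool.Deploy()
    }

# Re-run the check: the farm account should now appear only on the Central Administration pool.
Write-Host "Application pool identities after the change:"
Get-AppPoolIdentities | ForEach-Object { "{0,-40} {1}" -f $_.Pool, $_.UserName }
```

Two caveats a practitioner would add. First, per point 1 of the answer, leave automatic password change disabled on the new managed accounts until you have confirmed every service that runs under them tolerates it. Second, after the change, confirm that each new account can reach the databases its pool uses (browse a site on each web application and open each service application page in Central Administration) before you remove the farm account from any SQL Server role; the first part of the script is only reporting the exposure, and nothing in it removes rights from the old account.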

Licensed under: CC-BY-SA with attribution